Data Breach at TriZetto Provider Solutions Impacts its Healthcare Company Customers
TriZetto Provider Solutions, a Cognizant-owned firm that offers revenue management services to medical professionals, health systems, and hospitals, has begun informing some healthcare clients about a recently discovered cybersecurity incident.
On October 2, 2025, TriZetto found suspicious activity in a web portal used by a number of its healthcare organization clients to access the TriZetto network. It took quick action to protect the web portal and contain the incident. The cybersecurity company Mandiant investigated the incident, analyzed the security of the web portal software, and ensured that the incident was fully remediated. TriZetto reported that the attacker has been removed from its network. No further unauthorized activity on the web portal has been seen since October 2, 2025.
Though the breach was discovered only recently, the unauthorized access had been going on for a long time. The forensic investigation confirmed that an unauthorized third party first started accessing historical eligibility transaction information within the TriZetto system in November 2024, roughly one year before the unauthorized access was discovered. The reports in its database included the protected health information (PHI) of patients of some healthcare clients.
Between October 2, 2025 and November 2025, TriZetto evaluated the information in the breached system to identify the types of data involved and the persons impacted. Data compromised in the attack includes the names of patients and primary insureds, combined with some or all of the following: birth date, address, medical insurance member number or Medicare beneficiary number, health insurance company name, details regarding the primary insured or beneficiary, other demographic, health, and health insurance information, and Social Security number. TriZetto claimed no financial information was involved.
Breach notifications have been mailed to the affected healthcare customers, who were given a summary of the impacted persons and a copy of the compromised information. The HIPAA Breach Notification Rule requires notification letters to be sent to the affected individuals within 60 days of a HIPAA-regulated entity being informed of a data breach at a business associate. To comply with that HIPAA requirement, the affected healthcare companies need to send individual notifications to the affected persons within 60 days.
TriZetto offered to handle the breach notifications for the affected clients if they decide that breach notices are necessary under HIPAA. TriZetto also offered to notify the HHS OCR, government authorities, and the press on behalf of its covered entity customers, and will likewise cover the cost of free fraud consultation, credit monitoring, and identity theft restoration services.
The number of healthcare clients impacted and the extent of the data breach are currently unknown. Considering that its system was breached for 11 months, it is likely a massive data breach. Updates are expected as more information is reported.